Insider risk management – who’s the boss?

Where the buck should stop…why and why not.

As the saying goes, “a house divided against itself cannot stand.” Similarly, an insider risk management program or an insider threat program (ITP) will also fail without a clearly defined leader. Too often, companies fail to appoint a leader out of a “team approach” mentality or out of deference to current management fiefdoms. The result of putting everyone in charge is that no one is in charge.

This doesn’t require an insider threat “czar” with total control and veto authority over all things related to insider risk management. What is required, however, is an individual who is ultimately responsible for fostering collaboration across functions, bolstering capabilities, and measuring and reporting progress to leadership. The government refers to this role as the “senior official” responsible for managing insider threat. In corporate America, this official may be any of the following: CRO, CSO, CISO or CAO.

Chief Risk Officer

The CRO may be the best person to lead the ITP. This largely depends, however, on the scope and role of the CRO itself. Some CROs focus only on the strategic risk of the company. They set organizational risk tolerances and may develop methodologies for capturing and measuring risk postures. In this model, the operational risk is still wholly “owned” by the operational leaders (CSO, CISO, business units, etc.). CROs that fall into this category are not well positioned to lead an ITP because they lack the visibility and operational granularity required for an ITP.

Other CROs, however, focus on both the strategic and operational risk of the company. They not only set organizational risk tolerances, but also are involved in measuring, managing, and improving the operational risk posture of the organization. CROs in this group are well positioned to lead the ITP. They will often have the necessary high-level authority (report to CEO, Audit Committee, etc.) and, by virtue of their scope, will also have the necessary relationships across all functions of the organization (business units, legal, HR, CSO, CISO, etc.). While the “ownership” of the risk itself may still be the purview of the operational leaders, CROs in this group will often have joint responsibility and reporting requirements. This makes them vested and empowered leaders ideally suited to lead a cross-functional program like an ITP.

Chief Security Officer

A logical choice to lead the ITP is the CSO. They often have existing working relationships across the organization including legal, HR, risk, and cyber. This grants them the necessary perspective and influence to foster collaboration on improving insider threat capabilities. Some CSOs, however, lack a comfortable understanding of the technical aspects of insider threat management and may not feel empowered to lead the ITP.

For example, insider threat tools are often owned by the CISO, who is thus responsible for the testing, implementation, and maintenance of each tool. This can be a heavy lift in both human capital and financial resources. As such, CISOs are and need to be heavily engaged in any ITP. This fact notwithstanding, CSOs can still be effective ITP leaders by creating solid working relationships and workflows between functional organizations, including the CISO, and leveraging the collective expertise of all groups.

Chief Information Security Officer

The traditional choice to lead the ITP is the CISO. Insider threat has been traditionally viewed as a subset of cyber security. As such, CISOs are the logical choice to lead any efforts designed to manage threats to the organization – internal or external. This view is changing, however, as insider threat is a unique discipline that encompasses a broad range of security, HR, cyber, and legal disciplines. CISOs are also, almost exclusively, focused on “digital” security or data-centric security. Insider threat is by definition a human problem, not a data problem. As a result, CISOs may unduly limit the scope of an ITP by virtue of the scope of their role and function.

Moreover, CISOs that report to the CIO (which is common) arguably have a natural conflict of interest. The mandate of the CIO is to ensure the confidentiality, integrity, and availability of information (i.e., make sure employees can do their jobs). This mandate isn’t always in alignment with the security needs pertaining to insider threat, which may result in funding for insider threat being delayed or limited in favor of other CIO priorities.

Chief Administrative Officer/General Counsel/Human Resources

While not the traditional leaders of an ITP, senior executives in this group may become the de facto leaders by virtue of how the organization is structured. In some organizations the Chief Administrative Officer (CAO) is a dual-hatted role that may also be the General Counsel or Chief of HR. In these scenarios, some security functions may also report up to the CAO. Thus, many of the ITP functions and responsibilities may flow up to the CAO. The CAO will often have the ear of other top executives and as a result can be a strong enabler of the ITP. This governance structure may work if the CAO is supported by a strong group of senior security leaders. Without strong senior and mid-level managers, this model will lack the direction and subject-matter expertise required to properly develop, implement, and sustain an ITP.

The emerging role of Insider Threat Director

Corporations are beginning to create new director and SVP roles in which to vest the operational duties of managing the insider threat program and to spearhead its implementation. Various titles are used, such as Director of Insider Trust, Insider Risk Director, SVP Employee Trust, etc., but the objective remains to provide direction for the ITP. These roles are and will be of increasing importance as companies continue to expand and mature their capabilities for managing insider risk.

While the role is arguably one that should ultimately report directly to the CEO, it will take some time for the role to mature to that point. This role will likely follow the growth path of the CISO and over the next several years will take its rightful “seat at the table.” In the meantime, it should continue to mature and grow under the direction of the chief executives described above and be the ITP operational leader.

Shawn M. Thompson is the founder of Insider Threat Management Group, LLC, which provides strategic cyber security and insider risk management advisory services and training to the private sector. He is a member of the Maryland Bar and has nearly 20 years’ experience as a former federal prosecutor, Special Agent and risk management executive. He is a frequent keynote speaker, lecturer and author of the book Insider Threat Program – Your 90-Day Plan.